cbcvebase.
CVE-2019-17440
published 2019-12-20

CVE-2019-17440: Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an…

PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.68%
74.0th percentile
Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted.

Affected

3 ranges
VendorProductVersion rangeFixed in
palo_alto_networkspan-os>= 9.0 < 9.0.5-h39.0.5-h3
paloaltopan-os
paloaltonetworkspan-os9.0 – 9.0.5

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability affects PA-7080 and PA-7050 devices running PAN-OS 9.0 prior to 9.0.5-h3 with a Log Forwarding Card (LFC) installed and configured alongside a second-generation Switch Management Card (SMC). Detect exploitation attempts by monitoring for unexpected network sessions destined to the LFC.
  • Content update 8218-5815 remediates the improper restriction of LFC communications without requiring a full software upgrade. Absence of this content update on affected hardware is an indicator of exposure.
  • Monitor for any network sessions originating from untrusted sources and destined to the LFC management interface. The vendor recommends configuring security policies to block such sessions as a workaround, implying direct network reachability to the LFC is the attack vector.
  • ·The vulnerability only applies when a Log Forwarding Card (LFC) is physically installed AND configured. Devices without an LFC are not affected, regardless of PAN-OS version.
  • ·Only PA-7000 Series devices with the second-generation SMC are affected. Deployments using the first-generation SMC with a Log Processing Card (LPC) are not impacted.
  • ·PAN-OS 8.1 and all prior releases are not affected. The vulnerability is scoped exclusively to PAN-OS 9.0 versions before 9.0.5-h3.
  • ·Applying content update 8218-5815 as a workaround is only a temporary measure. Operators must ensure the next PAN-OS upgrade targets a fixed version (9.0.5-h3 or later), as upgrading or downgrading to an affected release can reintroduce the vulnerability.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.